My example of Time-lock-puzzles-and-timed-release-Crypt (cpp)

The puzzle is designed to foil attempts of a solver to exploit parallel or distributed computing to speed up the computation. The computation required to solve the puzzle is "intrinsically sequential".

The problem is to compute 2^(2^t) (mod n) for specified values of t and n. Here n is the product of two large primes, and t is chosen to set the desired level of difficulty of the puzzle.

Note that the puzzle can be solved by performing t successive squarings modulo n, beginning with the value 2. That is, set W(0) = 2 and W(i+1) = (W(i)^2) (mod n) for i >= 0, and compute W(t). There is no known way to perform this computation more quickly without knowing the factorization of n.

The value of t was chosen to take into consideration the growth in computational power due to "Moore's Law". Based on the SEMATECH National Technology Roadmap for Semiconductors (1997 edition), we can expect internal chip speeds to increase by a factor of approximately 13 overall up to 2012, when the clock rates reach about 10GHz. After that improvements seem more difficult, but we estimate that another factor of five might be achievable by 2034. Thus, the overall rate of computation should go through approximately six doublings by 2034.

We estimate that the puzzle will require 35 years of continuous computation to solve, with the computer being replaced every year by the next fastest model available. Most of the work will really be done in the last few years, however.

An interesting question is how to protect such a computation from errors. If you have an error in year 3 that goes undetected, you may waste the next 32 years of computing. Adi Shamir has proposed a slick means of checking your computation as you go, as follows. Pick a small (50-bit) prime c, and perform the computation modulo cn rather than just modulo n. You can check the result modulo c whenever you like; this should be an extremely effective check on the computation modulo n as well.
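The sequential squaring and the modulo-cn check described above can be seen working on a toy instance. This is an added example, not code from the original puzzle: the primes P, Q and C, the checkpoint interval and the injected bit flip are all constructed here, and the values are kept below 2^32 so plain 64-bit arithmetic suffices. It goes one step beyond the text by also showing the shortcut available to whoever knows the factorization of n.

```cpp
#include <cstdint>
#include <cstdio>

// Toy parameters, constructed for this example (the real puzzle uses a
// 2048-bit n and a 50-bit c). Every modulus is < 2^32, so products fit
// in uint64_t without overflow.
constexpr uint64_t P = 1009, Q = 1013, N = P * Q;  // secret factors, modulus
constexpr uint64_t C = 2039;                       // small check prime

uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1 % m;
    for (b %= m; e; e >>= 1, b = b * b % m)
        if (e & 1) r = r * b % m;
    return r;
}

struct Result { bool ok; uint64_t step; uint64_t value; };

// Solver: t squarings modulo C*N, verified modulo C every `interval` steps.
// By Fermat, W(i) mod C must equal 2^(2^i mod (C-1)) mod C, which is cheap
// to compute independently. fault_at != 0 flips one bit after that step to
// simulate a hardware error.
Result solve_checked(uint64_t t, uint64_t interval, uint64_t fault_at) {
    const uint64_t cn = C * N;
    uint64_t w = 2, e = 1;          // w = W(i) mod cn, e = 2^i mod (C-1)
    for (uint64_t i = 1; i <= t; ++i) {
        w = w * w % cn;
        e = 2 * e % (C - 1);
        if (i == fault_at) w ^= 1;  // injected fault
        if ((i % interval == 0 || i == t) && w % C != powmod(2, e, C))
            return {false, i, 0};   // check failed: report the step
    }
    return {true, t, w % N};        // reduce mod N for the puzzle answer
}

// Shortcut with the factorization: reduce the exponent modulo phi(N)
// first (Euler's theorem), then do a single modular exponentiation.
uint64_t solve_with_trapdoor(uint64_t t) {
    const uint64_t phi = (P - 1) * (Q - 1);
    return powmod(2, powmod(2, t, phi), N);
}

int main() {
    Result good = solve_checked(2000, 250, 0);
    Result bad  = solve_checked(2000, 250, 700);
    std::printf("sequential=%llu trapdoor=%llu\n", (unsigned long long)good.value,
                (unsigned long long)solve_with_trapdoor(2000));
    std::printf("fault at step 700 detected at step %llu\n", (unsigned long long)bad.step);
    return bad.ok ? 1 : 0;
}
```

A solver that saves w and e at each passing checkpoint only loses the work since the last one when a check fails.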

In order to allow the LCS director in the year 2034 (or whenever) to verify a submitted solution, we have arranged things so that solving the puzzle also enables the solver to factor the modulus n, as described below.

Of course, one way to break the puzzle is to factor the modulus n directly. But we have chosen a 2048-bit modulus, which is unlikely to be factored in the given time frame without a breakthrough in the art of factoring. Just as a failure of Moore's Law could make the puzzle harder than intended, a breakthrough in the art of factoring would make the puzzle easier than intended.